[Samba] authentication problem

Pisch Tamás pischta at gmail.com
Mon Jan 20 09:52:15 UTC 2020


> Not sysprepping is asking for problems.. Your computer SIDs are now the same.
Yes, I knew about the SID problem. I used NT4-style Samba, and I
didn't have a problem with it. I have been using AD for 5 months. We have ~60 PCs
and laptops. We use Linux on some of them. I cloned them too.
I made a fresh install on a Windows client, and cloned it with
sysprep, but the same authentication problem appeared in 2-3 days. Any
other ideas? I can connect to the sysvol on the DCs. Why do the DCs accept the
same clients?

> Always sysprep, I'm currently rolling out new W10 PCs atm
Ok, I will, but I'm not satisfied with it. I use the local
Administrator account, and I make some customizations in that, but with
sysprep, I have to create a user, and then enable the Administrator
account after the first login. Ok, maybe I need to read some docs about
it...

> Read: https://thesolving.com/server-room/when-and-how-to-use-sysprep/
>
> Tip, use this order to set up.
> - start a new computer, setup, at the first page the W10 install stops and asks questions.
>  CTRL+SHIFT+F3, now it reboots and logs in as Administrator automatically.
>  Configure the computer, install the needed software, everything you need/want.
>  ( NOTE, I only install/remove software, all other parts are done in GPOs. )
>  Clean up the crap from W10.
>  Run PowerShell as Administrator:
>  and run : Get-AppxPackage -allusers | where-object {$_.name -notlike "*store*"} | Remove-AppxPackage
>  that removes all crap apps, excluding Windows Store ( advised to keep that, it can be a problem to get it back )
>  run sysprep.
> - if you use a fixed IP, first set the fixed IP, reboot
> - Change PC name, reboot
> - Add to domain, reboot
> Done, resulting in always correct DNS entries. ;-)
Thanks :)

Pisch Tamás <pischta at gmail.com> wrote (on Fri, Jan 10, 2020, 10:37):
>
> > You also have these lines:
> >
> > logon path = ""
> > name resolve order = lmhosts host bcast
> >
> > You should remove these, they have no place in an AD smb.conf
>
> The smb.conf manpage mentions that:
> 'Disable the use of roaming profiles by setting the value of this
> parameter to the empty string. For example, logon path = "".'
> I don't want roaming profiles, so I thought I need this parameter. Is
> it enough if user profiles have empty Profile Path entries?
> "Disabling of all roaming profile use requires that the user account
> settings must also be blank."
> What does it mean exactly?
> name resolve order: I removed this setting from the DCs. The man page offers wins
> bcast settings for security = ADS, and SRV8 has that setting.
>
> > Now we come to a line that you should add to all the smb.conf files:
> >
> > winbind refresh tickets = yes
> >
> > This will ensure that your kerberos tickets will be refreshed.
>
> For this, I need libpam-winbind, according to the manual.
> I've read that:
> "Note: For a DC you do not need libpam-winbind libnss-winbind
> libpam-krb5, unless you require AD users to login "
> I think, to login locally. I don't want them to login locally, so I
> thought I don't want these on DCs. Do I really need libpam-winbind,
> and 'winbind refresh tickets' on DCs?
> I set it up on SRV8 and DC3.
>
> I still have the auth problem. 1-2 months ago I reinstalled the
> computers that had this problem, and after that the authentication
> problem disappeared, but I wouldn't like to do it frequently.
> Another question, but it might be related to this problem.
> I usually reinstall computers from a clone image file, but I don't use
> sysprep. What problem(s) can that cause?
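
The smb.conf advice quoted in this message (drop `logon path` and `name resolve order`, add `winbind refresh tickets = yes`) can be checked on each server with a small script. This is an added example, not part of the original thread or of Samba; the function names and the sample configuration are constructed for illustration.

```python
import re

# Advice quoted in the thread for an AD smb.conf: two parameters to drop
# and one to add. Samba compares parameter names ignoring case and spaces.
UNWANTED = ("logon path", "name resolve order")
REQUIRED = ("winbind refresh tickets",)
TRUE_VALUES = {"yes", "true", "on", "1"}  # Samba spellings of boolean true

def norm(name):
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return {normalised parameter name: value} for the [global] section."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[norm(name)] = value.strip()
    return params

def audit(text):
    """List the changes the thread's advice implies for this smb.conf."""
    params = parse_global(text)
    findings = [f"remove: {n} = {params[norm(n)]}" for n in UNWANTED if norm(n) in params]
    findings += [f"set: {n} = yes" for n in REQUIRED
                 if params.get(norm(n), "").lower() not in TRUE_VALUES]
    return findings

# Constructed sample, modelled on the lines quoted in the thread.
SAMPLE = """\
[global]
    security = ADS
    Logon Path = ""
    name resolve order = lmhosts host bcast
    ; winbind refresh tickets = yes
[share]
    logon path = not-in-global
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Only the `[global]` section is inspected, and a commented-out `winbind refresh tickets` line is reported as missing.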


